Subject: Re: Addition to force open to open only regular files
To: Bill Studenmund <>
From: Greywolf <>
List: tech-kern
Date: 11/28/2000 15:01:12
On Tue, 28 Nov 2000, Bill Studenmund wrote:

# Vnode locks should NEVER be held when a system call returns to userland.
# If you do that, you open up a huge Denial of Service attack:

D'oh!  You're right, of course!

# reserve(pathname, other options); for (;;;) stat(pathname, &a buffer);
# You've just panic'd the computer. This (the lossage resulting from leaving
# a vnode locked) is called, "the race for root."

Okay, is there a reason that getfh() shouldn't be mortal-enabled? It
already does path checking for accessibility; and since a stat() on a
non-readable file is ok, fhstat shouldn't be a problem, either.
And finally, why not make fhopen() respect the permissions on the given

I.e. why are these calls restricted to the super-user?  They'd be great
for providing against race conditions which might occur in the mortal

I must be missing something.

*BSD: The Power of Code.